HEURISTICS ON PAIRING-FRIENDLY ELLIPTIC CURVES



JOHN BOXALL

Abstract. We present a heuristic asymptotic formula as $x \to \infty$ for the number of
isogeny classes of pairing-friendly elliptic curves over prime fields with fixed embedding
degree $k \geq 3$, with fixed discriminant, with rho-value bounded by a fixed $\rho_0$ such that
$1 < \rho_0 < 2$, and with prime subgroup order at most $x$.

Introduction

Pairing-based cryptography protocols first became important with the work of Joux [18]
and nowadays have numerous applications to the security of information transmission and
other fields. Many of these protocols require the construction of elliptic curves over finite
fields having very special properties. More precisely, let $q = p^f$ be a power of the prime $p$
and let $k > 1$, $r > 1$ be integers. We need to be able to construct an elliptic curve $E$ over
the finite field $\mathbb{F}_q$ with $q$ elements that satisfies the following:

(a) $E$ has a point $P$ of order $r$ rational over $\mathbb{F}_q$;
(b) The group of points $E[r]$ of order $r$ of $E$ is isomorphic to $(\mathbb{Z}/r\mathbb{Z})^2$ and all the points
of $E[r]$ are rational over the extension field $\mathbb{F}_{q^k}$ of degree $k$ of $\mathbb{F}_q$.

In practical applications, if a security level of $s$ bits is required, it is generally
recommended that the integer $r$ should have at least $2s$ bits (see for example Table 1 in [14]).
This is because the Pollard-rho algorithm is generally believed to be the best attack on
the elliptic discrete logarithm problem. The subgroup of $E(\mathbb{F}_q)$ generated by $P$ should be
of small index in $E(\mathbb{F}_q)$. Since $\#E(\mathbb{F}_q) \in [(\sqrt{q} - 1)^2, (\sqrt{q} + 1)^2]$, so that $\#E(\mathbb{F}_q) \approx q$,
a convenient measure of the suitability of the curve is the so-called rho-value, defined by
$\rho = \frac{\log q}{\log r}$, which ideally should be close to 1. On the other hand, the integer $k$ needs to be
sufficiently small to allow efficient arithmetic in $\mathbb{F}_{q^k}$, which in practice implies that $k$ is at
most about 50. These constraints on $\rho$ and $k$ imply very strong restrictions on the choice
of elliptic curve, making suitable curves very rare ([T], [TS], [ID], [13]). For this reason, a
systematic search to obtain curves having parameters of cryptographic interest is completely
out of the question.

Although there is considerable recent interest in protocols where the group order $r$ is
composite ([5], [6], [13]), we shall be concerned in this paper with the more familiar situation
where $r$ is a prime number, which is assumed to be the case from now on. Since known
attacks on such protocols are based on the discrete logarithm in the subgroup of order $r$ of
the multiplicative group $\mathbb{F}_{q^k}^*$, and this is believed to be of the same difficulty as the discrete
logarithm in $\mathbb{F}_{q^k}^*$ itself, $k$ cannot be too small. In what follows, therefore, we shall often
suppose that $k \geq 3$.

Let $E$ be an elliptic curve over $\mathbb{F}_q$ satisfying (a), where $r$ is a prime different from $p$.
Following what has become standard usage, the smallest integer $k$ such that $q^k \equiv 1 \pmod{r}$
is called the embedding degree of $(E, P)$ (or just of $E$ if there is no possibility of confusion).
Alternatively, the embedding degree is just the order of $q$ in $(\mathbb{Z}/r\mathbb{Z})^*$. An argument using
the characteristic polynomial of the Frobenius endomorphism (see [1] Theorem 1) shows that
if $E$ is an elliptic curve over $\mathbb{F}_q$ that satisfies (a) and if the embedding degree $k$ of $E$ is at least
2, then $E$ also satisfies (b). Let $\Phi_k(w) \in \mathbb{Z}[w]$ denote the $k$-th cyclotomic polynomial. Then $r$
divides $\Phi_k(q)$. On the other hand, if $t$ denotes the trace of the Frobenius endomorphism of
$E$ over $\mathbb{F}_q$, then $\#E(\mathbb{F}_q) = q + 1 - t$ and so $q \equiv t - 1 \pmod{r}$. It follows that $r$ divides $\Phi_k(q)$
if and only if $r$ divides $\Phi_k(t - 1)$. Furthermore, we know from Hasse's bound that $|t| \leq 2\sqrt{q}$
and, if we suppose in addition that $p$ does not divide $t$, then $E$ is ordinary and there exists
a unique square-free positive integer $D$ and a unique integer $y > 0$ such that $t^2 + Dy^2 = 4q$.
The endomorphism ring of $E$ is then an order in the imaginary quadratic field $\mathbb{Q}(\sqrt{-D})$.
Conversely, if $t$, $D$, $y$ are integers and if $D > 0$ is square-free, $t^2 + Dy^2 = 4q$ with $q = p^f$ a
power of the prime $p$ and $p$ does not divide $t$, then a theorem of Deuring [TT] implies that
there exists an elliptic curve $E$ over $\mathbb{F}_q$ such that $\#E(\mathbb{F}_q) = q + 1 - t$. If, further, $r$ is a
prime dividing both $q + 1 - t$ and $\Phi_k(t - 1)$, and if the rho-value $\frac{\log q}{\log r}$ is close to 1, then $E$
is suitable for pairing-based cryptography. Since we only know how to construct the curve
$E$ corresponding to a choice of parameters $(t, D, y)$ when $D$ is fairly small (D < 10^^, say,
see [H]), we shall suppose except in the last section that $D$ is fixed.

The purpose of this note is to discuss the following heuristic asymptotic estimate. 

Pairing-friendly curves estimate 0.1. Let $k \geq 3$ be an integer, let $D \geq 1$ be a square-free
integer and let $\rho_0 \in \mathbb{R}$ with $1 < \rho_0 < 2$. We suppose that

(i) $(k, D) \neq (3, 3), (4, 1), (6, 3)$,

(ii) If $(k, D)$ is such that there exists a complete polynomial family $(r_0, t_0, y_0)$ with
generic rho-value equal to 1 (see remark (6) below and §3 for detailed definitions),
then $\rho_0 > 1 + \frac{1}{\deg r_0}$.

Let $e(k, D) = 2$ or $1$ according as to whether $\sqrt{-D}$ belongs to the field generated over $\mathbb{Q}$
by the $k$-th roots of unity or not, let $w_D$ be the number of roots of unity in the imaginary
quadratic field $\mathbb{Q}(\sqrt{-D})$ and let $h_D$ be the class number of $\mathbb{Q}(\sqrt{-D})$. Then the number of
triples $(r, t, y) \in \mathbb{Z}^3$ with $2 < r < x$ a prime number dividing $\Phi_k(t - 1)$, $t^2 + Dy^2 = 4p$ with
$p$ prime, $y > 0$, $r$ dividing $p + 1 - t$, and $p < r^{\rho_0}$ is asymptotically equivalent as $x \to \infty$ to

$$\frac{e(k, D)\, w_D}{2 \rho_0 h_D} \int_2^x \frac{du}{u^{2-\rho_0} (\log u)^2}.$$

Several remarks are in order. 

(1) If $f$ is a function that is strictly positive for sufficiently large real $x$ and if $g$ is a second
function defined for sufficiently large real $x$, we say that $g$ is asymptotically equivalent to $f$
as $x \to \infty$ if $g(x) = f(x)(1 + o(1))$.

(2) Integrating by parts, we find

$$\int_2^x \frac{du}{u^{2-\rho_0} (\log u)^2} = \frac{1}{\rho_0 - 1}\, \frac{x^{\rho_0 - 1}}{(\log x)^2} \left(1 + O\!\left(\frac{1}{\log x}\right)\right),$$

where the constant implied by the $O$ is independent of $\rho_0$. Thus, for fixed $\rho_0$, the number
of triples is also asymptotically equivalent to

$$\frac{e(k, D)\, w_D}{2 \rho_0 (\rho_0 - 1) h_D}\, \frac{x^{\rho_0 - 1}}{(\log x)^2}. \tag{0.2}$$

However, in view of the term $\rho_0 - 1$ that appears in the denominator in this formula, the
version with the integral seems preferable.

(3) Several papers have appeared in the literature showing (either heuristically or
unconditionally) that pairing-friendly elliptic curves are sparse (see for example [1], [15] §4.1, [20]
and [23] and also Remark 4.2). However, to the best of our knowledge, this paper is the first
to suggest a possible asymptotic formula.

(4) One knows that two elliptic curves $E_1$ and $E_2$ over $\mathbb{F}_q$ are isogenous if and only if
$\#E_1(\mathbb{F}_q) = \#E_2(\mathbb{F}_q)$. It follows that to each triple there corresponds a unique isogeny
class of elliptic curves, and it is clear that the embedding degree $k$ and the rho-value $\frac{\log q}{\log r}$
are invariant under isogeny. Thus (0.1) can be interpreted as counting isogeny classes of
pairing-friendly elliptic curves. For given $D$, the methods of [12] construct curves whose
endomorphism ring is the maximal order of $\mathbb{Q}(\sqrt{-D})$. On the other hand, Theorem 6.1
of [25] shows that every isogeny class of ordinary elliptic curves contains a curve whose
endomorphism ring is the maximal order of $\mathbb{Q}(\sqrt{-D})$. Thus, if $D$ is sufficiently small, the
methods of [12] enable one to construct at least one member of an isogeny class corresponding
to any triple $(r, t, y)$.

(5) We have supposed that $t^2 + Dy^2 = 4p$ with $p$ prime rather than a power of a prime.
However, as is usually the case in analytic number-theoretical situations, we expect solutions
with $t^2 + Dy^2 = 4p^f$ and $f > 1$ to be negligible in number as compared with those with
$f = 1$, so they should not affect the asymptotic estimate. Since only finitely many primes
$r$ divide $\Phi_k(-1)$, we can suppose that $t \neq 0$, in which case Deuring's theorem implies that
every choice of triple $(r, t, y)$ with the properties indicated in (0.1) corresponds to an isogeny
class of ordinary elliptic curves suitable for pairing-based cryptography provided $\rho_0$ is chosen
sufficiently close to 1.

(6) We know of only one pair $(k, D)$ for which there is a complete polynomial family
$(r_0, t_0, y_0)$ with generic rho-value equal to 1. This is the pair $(12, 3)$, and the corresponding
family is the well-known Barreto-Naehrig family [2]. In this case the degree $\deg r_0$ of the
polynomial $r_0$ is 4. In general, as we shall explain in §3, the Bateman and Horn heuristic
asymptotic formula [3] predicts that a complete polynomial family with generic rho-value
equal to one will produce more triples than predicted by (0.1) when $\rho_0 < 1 + \frac{1}{\deg r_0}$. This
will be a consequence of Theorem 3.1 below.

(7) On the other hand, the cases $(k, D) = (3, 3)$, $(6, 3)$ and $(4, 1)$ have to be excluded for
a trivial reason. These are exactly the values of $(k, D)$ with $k \geq 3$ for which $\mathbb{Q}(\sqrt{-D})$ is equal
to the field generated over $\mathbb{Q}$ by the $k$-th roots of unity; one deduces easily that $t^2 + Dy^2$
cannot be of the form $4p$ with $p$ a prime. See Remark 1.2 for further details. Recall however
that this does not imply that there are no pairing-friendly curves when $(k, D)$ takes one of
these values, but only that such curves cannot be rational over prime fields. Indeed, when
$(k, D) = (3, 3)$, there is a well-known construction of curves over fields of square cardinality
(see [Tl], § 3.3 and also Remark 4.2 below).

(8) We have excluded the cases $k = 1$ and $k = 2$.

When $k = 1$ and $E$ has a point $P$ of order $r$ rational over $\mathbb{F}_q$, there are two possibilities:
(a) either all the points of $E[r]$ are rational over $\mathbb{F}_q$, in which case $r^2 \leq q + 1 + 2\sqrt{q}$ by
the Weil bound, which implies that the rho-value is asymptotically at least 2, or
(b) the points of $E[r]$ that are not multiples of $P$ become rational only after extension of
scalars to $\mathbb{F}_{q^r}$, so that computations of any sort are completely infeasible.

When $k = 2$ and $E$ has a point $P$ of order $r$ rational over $\mathbb{F}_q$, then $r$ divides $q + 1 - t$
and also $r$ divides $q + 1$, since $\Phi_2(w) = w + 1$. Hence $r$ divides $t$ and again there are two
possibilities:

(a) if $t \neq 0$, then $r \leq |t| \leq 2\sqrt{q}$ and so the rho-value is asymptotically at least 2, or

(b) $t = 0$, in which case $E$ is supersingular. Suppose for example that the prime $r$ is such
that $2r - 1$ is also prime and take $q = p = 2r - 1$. By Deuring's theorem, there exists a
supersingular elliptic curve $E$ over $\mathbb{F}_p$ with $\#E(\mathbb{F}_p) = p + 1 = 2r$. By the Bateman-Horn
heuristics, there is a constant $C > 0$ such that the number of primes $r < x$ with $2r - 1$ prime
is asymptotically equal to $C \int_2^x \frac{du}{(\log u)^2}$. For the corresponding elliptic curves, the rho-value
approaches 1 as $r \to \infty$. Thus, when $k = 2$, we expect far more pairing-friendly elliptic
curves with $r < x$ than predicted by (0.1).

Thus, we do not expect (0.1) to give a reasonable estimate for the number of
pairing-friendly elliptic curves when $k = 1$ or $k = 2$. Roughly speaking, our heuristic argument will
fail in these cases because $k \in \{1, 2\}$ when and only when $\Phi_k(w)$ is of degree one, and so
has only the "constant" root $1$ or $-1 \pmod{r}$ when $r$ varies. But, in view of Lemma 1.1
below, it is reasonable to assume, when $k \geq 3$, that the probability that a random integer is
a root of $\Phi_k(w)$ mod $r$ is $\frac{\varphi(k)}{r}$.

Here is a brief outline of the paper. In §1 we briefly describe a heuristic argument which
leads to (0.1) and in §2 we present numerical evidence for several values of $(k, D) \neq (12, 3)$.
In §3 we review families of pairing-friendly curves and in particular the Barreto-Naehrig
complete family [2], and explain why (0.1) is expected to fail when $(k, D)$ satisfies condition
(ii) of (0.1) and, in particular, when $(k, D) = (12, 3)$. This involves the Bateman-Horn
heuristic asymptotic estimate on polynomials with integer coefficients and its generalisation
by K. Conrad [9] to polynomials with rational coefficients that take integer values. Finally,
in §4 we briefly discuss a variant of (0.1) where $D$ is allowed to vary and compare this with
the recent work of Urroz, Luca and Shparlinski [23] (see Remark 4.2).

We insist on the fact that (0.1) is only a heuristic assertion, not a theorem. Indeed, proofs
of most of the hypotheses that are used to derive it and described in §1 seem to be a long
way off.

All calculations reported on in this paper were done using PARI/GP [4] running on the
GMP kernel [17] and often using PARI's GP to C compiler gp2c.



1. A HEURISTIC ARGUMENT 

As in the Introduction, we fix an integer $k > 1$ and a square-free integer $D \geq 1$. If $r$ is
a prime such that $r$ does not divide $kD$, $r \equiv 1 \pmod{k}$ and $-D$ is a square $\pmod{r}$, the
Cocks-Pinch method [8], as explained say in Theorem 4.1 of [14], produces all parameters
$(r, t, y)$ corresponding to ordinary curves with embedding degree $k$ and endomorphism ring
an order in $\mathbb{Q}(\sqrt{-D})$ having a point of order $r$. This means that $r$ divides $\Phi_k(t - 1)$, $y > 0$
and $t^2 + Dy^2 = 4p$ with $p$ prime, the corresponding curve having coefficients in $\mathbb{F}_p$. As is
well-known, the rho-value of the curve is usually around 2. The heuristic argument that
follows will give a measure of the frequency with which it can be expected to give curves
with smaller rho-values. In what follows, we fix a real number $\rho_0$ with $1 < \rho_0 < 2$. We
wish to estimate asymptotically as $x \to \infty$ the number of triples $(r, t, y) \in \mathbb{Z}^3$ as above with
$r < x$ and $p < r^{\rho_0}$. Thus, the heuristic argument that follows is, in fact, an estimate of the
expected number of curves with $r < x$ and $p < r^{\rho_0}$ that the Cocks-Pinch method produces.

We first recall the following well-known Lemma, which can be extracted from [24], Chapter
2 §2:

Lemma 1.1. Let $k > 1$ be an integer and let $r$ be a prime number not dividing $k$. The
following statements are equivalent.

(i) The cyclotomic polynomial $\Phi_k(w)$ has a root $\pmod{r}$;

(ii) $\Phi_k(w)$ splits into distinct linear factors $\pmod{r}$;

(iii) $r \equiv 1 \pmod{k}$;

(iv) $r$ splits completely in the cyclotomic field $\mathbb{Q}(\zeta_k)$ generated over $\mathbb{Q}$ by a primitive $k$-th
root of unity $\zeta_k$.

Let $r > 2$ be any integer. By Lemma 1.1, the probability that $r$ is prime and splits
completely in $\mathbb{Q}(\zeta_k)$ is equal to the probability that $r$ is prime and that $r \equiv 1 \pmod{k}$.
Since there are $\varphi(k)$ residue classes $\pmod{k}$ consisting of integers prime to $k$, the prime
number theorem generalized to arithmetic progressions implies that this is equal to $\frac{1}{\varphi(k) \log r}$.

On the other hand, if $t$ is an arbitrary integer, we assume that the probability that
$\Phi_k(t - 1) \equiv 0 \pmod{r}$ is $\frac{\varphi(k)}{r}$. Since $\Phi_1(w) = w - 1$ and $\Phi_2(w) = w + 1$, this is reasonable
only when $k \geq 3$. Thus, the probability that $r$ is prime and divides $\Phi_k(t - 1)$ is

$$\frac{1}{\varphi(k) \log r} \cdot \frac{\varphi(k)}{r} = \frac{1}{r \log r}.$$

Next, we estimate the probability that $p$ be prime. To do this, we consider the element

of the imaginary quadratic field $\mathbb{Q}(\sqrt{-D})$. Then $\pi$ is a root of $x^2 - tx + p$, so that $\pi$ is
an algebraic integer. Write $N(\alpha)$ for the norm down to $\mathbb{Q}$ of an element $\alpha$ of $\mathbb{Q}(\sqrt{-D})$.
Then $N(\pi) = p$ so that the condition that $p$ be prime is equivalent to the condition that $\pi$
generate a principal prime ideal of $\mathbb{Q}(\sqrt{-D})$. By the prime ideal theorem in $\mathbb{Q}(\sqrt{-D})$ (see
for example [22] Chapter 7 §2), the number of principal prime ideals $\mathfrak{p}$ of $\mathbb{Q}(\sqrt{-D})$ of prime
norm $p$ bounded by $X$ is equivalent to $\frac{1}{h_D} \frac{X}{\log X}$ as $X \to \infty$. Applying this with $X = r^{\rho_0}$ and
observing that every non-zero principal ideal of $\mathbb{Q}(\sqrt{-D})$ has $w_D$ generators all having the
same norm, we deduce that the expected number of primes $p < r^{\rho_0}$ associated to a triple
$(r, t, y)$ is equal to $\frac{w_D\, r^{\rho_0}}{h_D\, \rho_0 \log r}$.

Finally, we estimate the probability that $r$ divides $p + 1 - t$, given that $r$ is prime. Now
$p + 1 - t = N(\pi - 1)$, so that $r$ divides $p + 1 - t$ if and only if there exists a prime ideal
$\mathfrak{r}$ lying above $r$ and dividing $\pi - 1$. Since $\rho_0 < 2$, this implies that $r$ splits in $\mathbb{Q}(\sqrt{-D})$ as a
product $\mathfrak{r}\bar{\mathfrak{r}}$ of two prime ideals of degree one. The probability that a random algebraic integer
$\pi$ satisfies $\pi \equiv 1 \pmod{\mathfrak{r}}$ is $\frac{1}{r}$ and the generalisation to $\mathbb{Q}(\sqrt{-D})$ of Dirichlet's theorem on
primes in arithmetic progressions implies that this remains true if $\pi$ generates a prime ideal.
Since there are two prime ideals $\mathfrak{r}$ and $\bar{\mathfrak{r}}$ dividing $r$, the probability that $r$ divides $p + 1 - t$
given that it splits in $\mathbb{Q}(\sqrt{-D})$ is $\frac{2}{r}$.

On the other hand, the probability that $r$ splits as a product of two degree one primes in
$\mathbb{Q}(\sqrt{-D})$ is $1$ if $\sqrt{-D} \in \mathbb{Q}(\zeta_k)$, and $\frac{1}{2}$ if not. This is equal to $\frac{e(k, D)}{2}$.



Taking all this into account and making various obvious independence hypotheses, we
obtain that the number of triples $(r, t, y)$ such that $r < x$ is prime, $r \equiv 1 \pmod{k}$, $r$ divides
$\Phi_k(t - 1)$, and $t^2 + Dy^2 = 4p$ with $p < r^{\rho_0}$ a prime should be equivalent to

$$\sum_{r} \frac{1}{r \log r} \cdot \frac{w_D\, r^{\rho_0}}{h_D\, \rho_0 \log r} \cdot \frac{2}{r} \cdot \frac{e(k, D)}{2} = \frac{e(k, D)\, w_D}{\rho_0 h_D} \sum_{r} \frac{1}{r^{2-\rho_0} (\log r)^2}.$$

Here the sums are over all integers $r$ such that $2 < r < x$. Since

$$\sum_{r} \frac{1}{r^{2-\rho_0} (\log r)^2} \sim \int_2^x \frac{du}{u^{2-\rho_0} (\log u)^2},$$

this estimate differs by a factor of 2 from that in (0.1), the difference being due to the fact
that we assumed in (0.1) that $y > 0$ whereas in the preceding argument the sign of $y$ is
arbitrary.

Remark 1.2. The independence hypotheses alluded to above assume that $\pi$ is an essentially
random element of the set of algebraic integers of $\mathbb{Q}(\sqrt{-D})$ such that $\pi - 1$ belongs to one
of the prime ideals dividing $r$. In particular, the probability that it generates a prime ideal
should be that predicted by the prime ideal theorem. This is not true when $(k, D) = (3, 3)$,
$(6, 3)$ or $(4, 1)$, in other words in those cases where $\mathbb{Q}(\zeta_k) = \mathbb{Q}(\sqrt{-D})$. Suppose for example
that $(k, D) = (3, 3)$. The condition $r \mid \Phi_3(t - 1)$ then implies that $4r$ divides $4t^2 - 4t + 4$. On
the other hand, since $4r$ divides $(t - 2)^2 + 3y^2 = t^2 - 4t + 4 + 3y^2$, we find by subtraction
that $4r$ divides $3(t^2 - y^2)$. When $r > 5$, this implies that $t \equiv \pm y \pmod{4r}$. Since $|t| < 2r$
and $|y| < 2r$, this implies that $t = \pm y$ when $r$ is sufficiently large and so $t^2 + 3y^2$ cannot
be of the form $4p$ with $p$ a prime. A similar argument works when $(k, D) = (6, 3)$ or
$(4, 1)$. Thus the use of the prime ideal theorem is not justified in these cases.

2. Numerical evidence 

In order to test (0.1) numerically, we wrote a programme in PARI/GP [4] to search for all
triples $(r, t, y)$ with $r$ in some interval $[a, b]$, $k$, $D$ and $\rho_0$ being given. Thus for each prime
$r \equiv 1 \pmod{k}$ belonging to $[a, b]$ such that $-D$ is a square $\pmod{r}$, the programme finds
all the roots of $\Phi_k(t - 1) \equiv 0 \pmod{r}$, searches for those for which $|t| < 2r^{\rho_0/2}$ and then
those for which there exists $y > 0$ such that $t^2 + Dy^2 = 4p$ with $p$ prime and $p < r^{\rho_0}$, and
outputs the vector of all sextuples $(r, t, y, h, p, \rho)$ with $r$, $t$, $y$ and $p$ as before, $h$ the cofactor
defined by $p + 1 - t = rh$, and $\rho = \frac{\log p}{\log r}$ the actual rho-value.

For a given $r$, there are two possible strategies for finding $t$. The first is to factor $\Phi_k(x)$
$\pmod{r}$ using a standard factorisation algorithm for univariate polynomials over finite fields.
The second is to first choose at random a primitive root $g \pmod{r}$, so that if $s = g^{(r-1)/k}$
$\pmod{r}$, then $s$ is a primitive $k$-th root of unity in the field with $r$ elements. The possible
values of $t$ are then $s^{\ell} + 1 \pmod{r}$ as $\ell$ ranges over the integers between $1$ and $k$ that are
prime to $k$. This is justified by the fact that the roots of $\Phi_k$ are precisely the primitive $k$-th
roots of unity. In the range where the systematic search for all triples $(r, t, y)$ is feasible, the
second method turned out to be the faster although it is clear that for large values of $r$ the
first method is preferable since $k < 50$ and the exponentiation to the power $\frac{r-1}{k}$ becomes
costly.
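
The search just described, as an added example in Python (it is not the author's PARI/GP programme). It follows the second strategy, except that it looks for an element of exact order $k$ rather than a primitive root, and it fixes $y$ through the congruence $y \equiv \pm (t - 2)/\sqrt{-D} \pmod{r}$ so that $r$ divides $p + 1 - t$. All function names and the demonstration parameters are assumptions of this example.

```python
from math import gcd, isqrt, log

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Deterministic Miller-Rabin (these bases are exact for n < 3.3e24)."""
    if n < 2:
        return False
    for q in BASES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def sqrt_mod(a, r):
    """Tonelli-Shanks: a square root of a modulo the odd prime r, or None."""
    a %= r
    if a == 0:
        return 0
    if pow(a, (r - 1) // 2, r) != 1:
        return None
    q, e = r - 1, 0
    while q % 2 == 0:
        q, e = q // 2, e + 1
    z = 2
    while pow(z, (r - 1) // 2, r) != r - 1:   # least quadratic non-residue
        z += 1
    c, x, b = pow(z, q, r), pow(a, (q + 1) // 2, r), pow(a, q, r)
    while b != 1:
        i, b2 = 0, b
        while b2 != 1:
            b2, i = b2 * b2 % r, i + 1
        f = pow(c, 1 << (e - i - 1), r)
        x, c, b, e = x * f % r, f * f % r, b * f * f % r, i
    return x

def prime_factors(n):
    out, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            out.add(d)
            n //= d
        d += 1
    if n > 1:
        out.add(n)
    return out

def cyclotomic_roots(k, r):
    """Roots of Phi_k modulo a prime r = 1 (mod k): the elements of exact order k."""
    qs = prime_factors(k)
    g = 2
    while True:
        s = pow(g, (r - 1) // k, r)            # the order of s divides k
        if all(pow(s, k // q, r) != 1 for q in qs):
            break                              # the order of s is exactly k
        g += 1
    return [pow(s, l, r) for l in range(1, k + 1) if gcd(l, k) == 1]

def triples(k, D, rho0, a, b):
    """Sextuples (r, t, y, h, p, rho) with a <= r <= b and p <= r**rho0."""
    found = []
    for r in range(a + (1 - a) % k, b + 1, k):          # r = 1 (mod k)
        if not is_prime(r) or D % r == 0:
            continue
        s = sqrt_mod(-D, r)
        if s is None:                                    # -D must be a square mod r
            continue
        p_max = int(r ** rho0)                           # float power: fine at demo sizes
        t_max = isqrt(4 * p_max)                         # t^2 <= 4p
        s_inv = pow(s, -1, r)
        for root in cyclotomic_roots(k, r):
            t0 = (root + 1) % r                          # t - 1 is a root of Phi_k
            for t in range(t0 - r * ((t0 + t_max) // r), t_max + 1, r):
                y_max = isqrt((4 * p_max - t * t) // D)
                # r | p + 1 - t  <=>  (t - 2)^2 + D*y^2 = 0 (mod r)
                for y0 in {(t - 2) * s_inv % r, (2 - t) * s_inv % r}:
                    for y in range(y0 or r, y_max + 1, r):
                        n = t * t + D * y * y
                        if n % 4 == 0 and is_prime(n // 4):
                            p = n // 4
                            found.append((r, t, y, (p + 1 - t) // r, p, log(p) / log(r)))
    return sorted(found)

if __name__ == "__main__":
    for row in triples(12, 3, 1.5, 13, 5000):            # constructed demo parameters
        print(row)
```

With $k = 12$, $D = 3$ the output includes $(r, t, y, h, p) = (97, 7, 11, 1, 103)$, for which $7^2 + 3 \cdot 11^2 = 4 \cdot 103$ and $\Phi_{12}(6) = 1261 = 13 \cdot 97$.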

In view of the discussion in §1, our programme is basically an implementation of the
Cocks-Pinch method that selects only those curves with $\rho < \rho_0$. However, as all primes
$r \equiv 1 \pmod{k}$ need to be tested, this cannot be expected in reasonable time to find curves
in an interval $[a, b]$ where $a$ and $b$ are of a sufficiently large size for the curves to be of
cryptographic interest (unless the value $\rho_0$ is taken to be close to 2). In practice, it was
found that for given $k$ and $D$ the vector of all sextuples $(r, t, y, h, p, \rho)$ could be calculated
in between 15 and 75 seconds when $b - a$ = 10^ and $b$ is smaller than about 10^^. Under
these conditions, the time taken was roughly proportional to $1/\varphi(k)$. Also, in view of the
irregularity that one expects when $k$ and $D$ vary and $r$ is very small, it was decided to
restrict attention to r > 10^.

In what follows we present, for different values of $k$, $D$, $\rho_0$, $a$ and $b$, the number $N =
N(k, D, \rho_0, a, b)$ of triples $(r, t, y)$ as in (0.1) with $a < r < b$ and, for comparison, the value
of the corresponding integral

$$I = I(k, D, \rho_0, a, b) = \frac{e(k, D)\, w_D}{2 \rho_0 h_D} \int_a^b \frac{du}{u^{2-\rho_0} (\log u)^2}. \tag{2.1}$$

We define $I_0$ by $I_0(k, D, \rho_0, a, b) = e(k, D)^{-1} I(k, D, \rho_0, a, b)$: note that $I_0$ depends only on
$D$ and $\rho_0$ but not on $k$.

For convenience, the tables of numerical data have been placed near the end of the paper. 

Figure 1 gives the values of N(k, D, 1.7, 10^, 85698768) for all $k$ such that $3 \leq k \leq
30$ and all squarefree $D$ with $D < 15$ as well as $D = 19$, $23$, $43$ and $47$. This choice
of $D$ includes all imaginary quadratic fields of class number one except $\mathbb{Q}(\sqrt{-163})$ and,
for each integer $h$ less than or equal to 5, at least one field whose class number is equal
to $h$. The second line of the table recalls the class number $h_D$ of $\mathbb{Q}(\sqrt{-D})$. The third
line gives the value of $I_0 = e(k, D)^{-1} I$, where $I$ = I(k, D, 1.7, 10^, 85698768). The values of $I_0$ are the
reason for the choice of 85698768 as upper limit. In fact, when $D$ is such that $w_D = 2$
and $h_D = 1$, then $I_0 = \frac{1}{1.7} \int \frac{du}{u^{0.3} (\log u)^2} = 1000.00$, the integral being taken over the same
interval, so that the predicted value of
N(k, D, 1.7, 10^, 85698768) is 1000 in these cases. The main part of the table contains
the values of N(k, D, 1.7, 10^, 85698768); the entries corresponding to values of $(k, D)$ with
$e(k, D) = 2$ are marked with an asterisk; (0.1) predicts that they should be close to $2I_0$ and
therefore roughly twice as large as the other entries in the same column. The last line of
Figure 1 gives the average value of each column as $k$ varies from 3 to 30, the cases where
$e(k, D) = 2$ being counted with weight $\frac{1}{2}$ and the excluded values $(k, D) = (3, 3)$, $(4, 1)$ and
$(6, 3)$ omitted. (0.1) predicts that each of these averages be close to the corresponding value
of $I_0$.

Figure 2 gives the values of N(k, D, 1.5, 10^, 2 x 10^) for the same values of $(k, D)$ as
Figure 1. When $D$ is such that $w_D = 2$ and $h_D = 1$, we now have
$I_0 = \frac{1}{1.5} \int \frac{du}{u^{0.5} (\log u)^2} = 58.17$, the integral being taken over the same interval.

Although all the entries in Figures 1 and 2 (with the exception of those for $(k, D) = (3, 3)$,
$(4, 1)$ and $(6, 3)$) are of the order of magnitude predicted by (0.1), there is considerable
variation in the actual values, especially in Figure 2. This is perhaps not unexpected, as
similar variation occurs when one computes the number of values for which polynomials
simultaneously take prime values and compares the result to the Bateman-Horn heuristics.
In fact, if $\pi(x)$ denotes as usual the number of primes less than or equal to the real positive
$x$, no explicit formula analogous to Riemann's formula for $\pi(x) - \int_2^x \frac{du}{\log u}$ seems to be known
in the Bateman-Horn context (see for example [19] for a discussion of the case of prime
pairs). So, presumably it would also be a hard problem to find one in the context of (0.1).

In order to obtain numerical data for larger values of $x$ and examine what happens when
$\rho_0$ varies, it is necessary to restrict the values of $k$ and $D$. The case $(k, D) = (12, 3)$ will be
discussed in the next section. Figure ?? presents data for the three cases $(k, D) = (28, 1)$,
$(27, 11)$ and $(8, 23)$. In each case, they give the values of $N(\rho_0) = N(k, D, \rho_0, a, b)$ and
$I(\rho_0) = I(k, D, \rho_0, a, b)$ for $\rho_0 \in \{1.1, 1.2, 1.3, 1.4, 1.5\}$ and for each of the three intervals
(a, b) = (10^, 10^), (10^ 10^°) and (lO^^ - IQio, lO^^ + IQ^y. These results emphasize just
how rare triples with rho-values close to one are. For example, if one wanted to construct
a table like Figure 1 with $I_0 = 1000$ but taking $\rho_0 = 1.2$ instead of $1.7$, (0.1) suggests that
one would need to test all $r$ up to about 7.9 x 10^^, which is obviously completely out of the
question.

3. The Barreto-Naehrig family and the case k = 12, D = 3

The various known methods of constructing pairing-friendly elliptic curves are reviewed
in [14]. Since (0.1) is primarily concerned with ordinary elliptic curves over prime fields
and assumes that $k \geq 3$, we limit our attention to those methods which apply in these
situations. We want to understand asymptotically as $x \to \infty$ the number of triples $(r, t, y)$
with $r < x$ that belong to such families and have rho-value at most $\rho_0$ and compare this
with the estimate in (0.1). Clearly we can only compare constructions where $k$ and $D$ are
fixed.

Apart from the Cocks-Pinch method, which constructs all parameters corresponding to
ordinary curves and on which our heuristic estimate is based, the other well-known
constructions with $k$ and $D$ fixed are the polynomial families. These fall into two kinds: (a) sparse
families, of which the most familiar example is MNT families [21]; (b) complete families, of
which the general construction is due to Brezing and Weng [7]. We refer to [2], § 5 and 6
for a detailed review of the two kinds of families.

The idea behind both constructions is to find polynomials $r_0(w)$, $t_0(w)$ and $p_0(w) \in \mathbb{Q}[w]$
such that $r_0(w)$ divides both $\Phi_k(t_0(w) - 1)$ and $p_0(w) + 1 - t_0(w)$. One then seeks values
$w_0$ of $w$ for which $r_0(w_0)$, $t_0(w_0)$ and $p_0(w_0)$ are all integers with $r_0(w_0)$ prime (or a prime
multiplied by a very small factor) and $p_0(w_0)$ is prime (or a prime power). The values of
the integral parameters $r$, $t$ and $p$ are then respectively $r_0(w_0)$, $t_0(w_0)$ and $p_0(w_0)$ with
$r_0(w_0)$ and $p_0(w_0)$ prime. By definition, the generic rho-value of the family is $\frac{\deg p_0}{\deg r_0}$. As $w_0$
tends to infinity, the rho-value of the elliptic curve corresponding to $w_0$ approaches the generic
rho-value.

However, the two constructions differ in the way they treat the parameter $y$. Define the
polynomial $h_0(w)$ by $p_0(w) + 1 - t_0(w) = r_0(w) h_0(w)$. If $r = r_0(w_0)$, $t = t_0(w_0)$, $p = p_0(w_0)$
and $h = h_0(w_0)$, then the corresponding $y$ parameter satisfies

$$Dy^2 = 4p - t^2 = 4hr - (t - 2)^2.$$

In the case of sparse families, the general idea is to choose $r_0$, $t_0$ and $p_0$ in such a way that
$4p_0(w) - t_0(w)^2$ is of degree two. When this is the case, the affine curve with $(w, y)$-equation
$Dy^2 = 4p_0(w) - t_0(w)^2$ is of genus 0. If this curve is to have infinitely many integral points,
its real locus must be either a parabola or a hyperbola. In all the cases of which we are
aware, the real locus is a hyperbola. Thus, an affine change of coordinates transforms this
into a generalised Pell equation $Z^2 - aY^2 = b$, where $a > 0$ is not a square. The integral
solutions of this are of the form $Z + \sqrt{a}\,Y = \alpha \varepsilon^n$, where $\alpha$ runs through a finite set of
elements of the real quadratic field $\mathbb{Q}(\sqrt{a})$, $\varepsilon$ is a fundamental unit of $\mathbb{Q}(\sqrt{a})$, and $n \in \mathbb{Z}$.
From this we deduce that the number of values of $r < x$ that can arise from a sparse family
is O((log x)^). On the other hand, (0.1) predicts that there are at least $\gg \frac{x^{\rho_0 - 1}}{(\log x)^2}$ choices of
the parameters $(r, t, y, p)$ with $r < x$ and $p < r^{\rho_0}$. Thus, sparse families can only contribute
a negligible proportion of pairing-friendly curves with given $k$ and $D$.

In the case of complete families, the basic strategy was described in full generality by
Brezing and Weng [7]. In addition to $r_0$, $t_0$, $h_0$ and $p_0$, we also require a polynomial $y_0$ such
that $t_0(w)^2 + D y_0(w)^2 = 4p_0(w)$, so that the $y$ parameter is the corresponding value $y_0(w_0)$.
Now, the polynomials $r_0$, $t_0$, $y_0$, $h_0$, $p_0$ simultaneously take integral values at integers $w_0$
varying over a finite set of congruence classes modulo some fixed integer. Furthermore,
if $r_0$ and $p_0$ are to give rise to triples $(r, t, y)$ corresponding to elliptic curves, they must
simultaneously take prime values.

Before going further, we recall the Bateman-Horn heuristics [3] in the case of two
polynomials $f$ and $g$ with integral coefficients. We assume that $f$ and $g$ are distinct and irreducible.
For any prime $p$ let $N_p$ denote the number of solutions of the congruence $f(x) g(x) \equiv 0
\pmod{p}$ and suppose that $N_p < p$ for all $p$. Then let $C$ be given by the conditionally
convergent infinite product

$$C = \prod_{p \geq 2 \text{ prime}} \left(1 - \frac{1}{p}\right)^{-2} \left(1 - \frac{N_p}{p}\right). \tag{3.1}$$

Then the number of integers $w_0$ with $2 < w_0 < X$ such that $f(w_0)$ and $g(w_0)$ are
simultaneously prime is asymptotically equivalent to

$$\frac{C}{\deg f \deg g} \int_2^X \frac{du}{(\log u)^2} \tag{3.2}$$

as $X \to \infty$. In particular, since $C > 0$, there are infinitely many $w_0$ such that $f(w_0)$ and
$g(w_0)$ are simultaneously prime.

We need to adapt this statement to polynomials whose coefficients are rational. Let $f$,
$g \in \mathbb{Q}[w]$ and let $n > 1$ be a common denominator of the coefficients of $f$ and $g$. Then there
are integers $m_i$ with $0 \leq m_i < n$ such that $f(n w_0 + m_i) \in \mathbb{Z}$ and $g(n w_0 + m_i) \in \mathbb{Z}$ for all $i$
and for all $w_0 \in \mathbb{Z}$.

Then, for each $i$, we can apply the generalization by K. Conrad (see § 2 of [S]) of the
Bateman-Horn heuristics to the pair of polynomials $w \mapsto f(nw + m_i)$ and $w \mapsto g(nw + m_i)$.
This implies that (3.2) still holds, although the value of $C$ will no longer be given by (3.1) in
general, but can be computed using Conjecture 5 of [S]. Since in what follows we only need
the actual value of $C$ in the case of polynomials with integer coefficients, we do not discuss
this in detail.

Returning to our discussion of complete families, it follows that there exists a constant
$C' > 0$ such that the number of triples $(r, t, y)$ with $r < x$ coming from the family is
asymptotically equivalent to

$$\frac{C'}{\deg r_0 \deg p_0} \int_2^{(x/c_{r_0})^{1/\deg r_0}} \frac{du}{(\log u)^2} \sim \frac{C'}{c_{r_0}^{1/\deg r_0}}\, \frac{\deg r_0}{\deg p_0}\, \frac{x^{1/\deg r_0}}{(\log x)^2}, \tag{3.3}$$

where $c_{r_0}$ is the leading coefficient of $r_0$ and $\deg r_0$ is the degree of $r_0$, and the asymptotic
equivalence of the two displayed formulae is seen by integrating by parts. (Note that in
general $C'$ will not be equal to $C$, since both positive and negative values of $w_0$ may yield
triples $(r, t, y)$.)

As $w_0 \to \infty$, the rho-value of the triple $(r_0(w_0), t_0(w_0), y_0(w_0))$ approaches $\frac{\deg p_0}{\deg r_0}$.
Comparing (0.2) and (3.3), we deduce that if $\frac{1}{\deg r_0} > \rho_0 - 1$, then the Bateman-Horn
heuristics implies the complete family parametrised by $r_0$, $t_0$, ..., asymptotically contains more
choices of triples than predicted by (0.1). On the other hand, the rho-value of the triples
$(r_0(w_0), t_0(w_0), y_0(w_0))$ tends to the generic rho-value $\frac{\deg p_0}{\deg r_0}$ as $w_0 \to \infty$, so that this
family can contain infinitely many triples with rho-value $< \rho_0$ only if $\frac{\deg p_0}{\deg r_0} < \rho_0$. It is clear
that $\deg p_0 \geq \deg r_0$ so, since $\deg p_0$ and $\deg r_0$ are integers, the conditions $\frac{\deg p_0}{\deg r_0} < \rho_0$ and
$\frac{1}{\deg r_0} > \rho_0 - 1$ are satisfied only if $\deg p_0 = \deg r_0$. We deduce (i) of the following

Theorem 3.1. We keep the notation that has just been introduced and assume the
Bateman-Horn heuristics together with their generalization by K. Conrad.

(i) Suppose that $\rho_0 < 1 + \frac{1}{\deg r_0}$. Then the complete family $(r_0, t_0, y_0)$ asymptotically
contains more choices of parameters than predicted by (0.1). Furthermore, one has
$\deg p_0 = \deg r_0$.

(ii) On the other hand, if $\rho_0 > 1 + \frac{1}{\deg r_0}$, then the family does not contain sufficiently
many triples to contradict (0.1).

Point (ii) is proved in a similar way to (i), again comparing (0.2) and
On the other hand, what happens when $\rho_0 = 1 + \frac{1}{\deg r_0}$ depends on the relative values of
the constants appearing in (0.2) and the right hand side of



Table 8.2 of [13] summarizes, for all $k$ up to 50, the construction of the family with the smallest rho-value and the corresponding value of $D$. When $k > 3$, the families listed are all complete families, and all have $\deg p_0 > \deg r_0$ except when $k = 12$, in which case the corresponding value of $D$ is 3. When $k = 3$, the family is also a complete family and $D = 3$ and also satisfies $\deg p_0 = \deg r_0$, except that $p_0(w) = (3w - 1)^2$ cannot represent primes (see § 3.3 of [13]).

The case $k = 12$ and $D = 3$ is thus expected to provide a genuine counterexample to (0.1). The corresponding family is the well-known Barreto-Naehrig family [5], where

$$r_0(w) = 36w^4 + 36w^3 + 18w^2 + 6w + 1, \quad t_0(w) = 6w^2 + 1, \quad h_0(w) = 1,$$

$$y_0(w) = 6w^2 + 4w + 1, \quad p_0(w) = 36w^4 + 36w^3 + 24w^2 + 6w + 1.$$

Since the degree of $r_0$ is 4, we expect the family to provide more curves than (0.1) when $\rho_0 < 1.25$.

This can be tested numerically using similar calculations to those presented in § 1. To see the contribution of the Barreto-Naehrig family, we need to calculate the constant $C$ appearing in the Bateman-Horn heuristics for it. For any prime $p$, let $N_{r_0,p}$ denote the number of solutions of $r_0(w) \equiv 0 \pmod p$ and define $N_{p_0,p}$ similarly. Write $N_p$ for the number of solutions of $r_0(w)p_0(w) \equiv 0 \pmod p$. Then $N_2 = N_3 = 0$ and $N_p = N_{r_0,p} + N_{p_0,p}$ when $p \ge 5$ since $p_0(w) = r_0(w) + 6w^2$ so that $r_0$ and $p_0$ cannot have a common root (mod $p$). Since $r_0$ and $p_0$ have integral coefficients, the Bateman-Horn constant is given by

As written, the product (3.1) is conditionally convergent and therefore unsuitable for numerical computation. Instead, we apply the formula given by the theorem of Davenport and Schinzel [10]. This gives

„ / 1 ^ -nL^^ r 1 ^ ~N^» 

p>5 



c 



7 



n 

p>5 



1 



Np 
P 



1-i 
P 



-w„ 



p^ 



'-? 



r(2) 



r(4) 



where $N_p^{(2)}$ and $N_p^{(4)}$ denote respectively the number of irreducible factors of $r_0(x)p_0(x)$ (mod $p$) of degree 2 and of degree 4, $\rho(K_{r_0})$ and $\rho(K_{p_0})$ the residue at 1 of the zeta function of the number fields $K_{r_0}$ and $K_{p_0}$ generated over $\mathbb{Q}$



7 



1 \-2 



1 \-i 



by a root of $r_0$ and a root of $p_0$ and



The two infinite products in the Davenport-Schinzel formula for $C$ are now absolutely convergent. When $p \ge 5$ the table that follows gives the value of $N_p^{(j)}$ when $j = 2$ and $j = 4$:

p mod 12    p_0(w) mod p    N_p    N_p^(2)    N_p^(4)
1           4 roots         8      0          0
1           0 roots         4      2          0
5                           0      2          1
7                           2      3          0
11                          0      4          0
Using these formulae and taking the product over all p with 5 < p < 10^, we find that the first product appearing in the formula for $C$ equals 0.88576... and the second equals 1.26250.... On the other hand, $\rho(K_{r_0}) = 0.36105\ldots$ and $\rho(K_{p_0}) = 0.52642\ldots$. It follows that $C \approx 17.651$. On the other hand, since neither of the polynomials $r_0$ and $p_0$ are even functions, the values of $r_0(w_0)$ and $p_0(w_0)$ at negative integers $w_0$ will, with finitely many exceptions, be different to those at positive integers. Hence $C' = 2C$ so that $\frac{C'}{16} \approx 2.206$ and, if the Bateman-Horn heuristics are correct, we can expect that the number of triples $(r, t, y)$ arising from the Barreto-Naehrig family with $x' < r < x$ should be approximately equal to

$$J_{BN}(x', x) \approx 2.206 \int_{x'^{1/4}/\sqrt{6}}^{x^{1/4}/\sqrt{6}} \frac{du}{(\log u)^2}.$$

The following table gives the values of $N(12, 3, \rho_0, 10^6, 10^8)$ together with $N(12, 3, \rho_0, 10^8, 10^{10})$ for $\rho_0 \in \{1.1, 1.2, 1.3, 1.4, 1.5\}$ and compares them with the corresponding expected value of $I(12, 3, \rho_0, a, b)$.



rho_0               1.1     1.2     1.3     1.4      1.5
N(10^6, 10^8)       3       8       21      57       305
I(10^6, 10^8)       0.49    2.25    10.66   51.58    255.11
N(10^8, 10^10)      6       10      44      221      1655
I(10^8, 10^10)      0.47    3.43    25.83   199.07   1567.0

The column $\rho_0 = 1.1$ of the table contains 3 triples with $10^6 < r < 10^8$ and 6 with $10^8 < r < 10^{10}$. All these nine triples $(r, t, y)$ are in fact members of the Barreto-Naehrig family: they correspond to the values of the polynomials $r_0(x)$ etc. at $x = -107, -55, -52, -41, -15, 20, 78, 82, 123$. This should be compared with the expected contributions from the Barreto-Naehrig family which are respectively $J_{BN}(10^6, 10^8) = 6.05$ and $J_{BN}(10^8, 10^{10}) = 10.26$.
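The Barreto-Naehrig computation above can be re-run directly. The following Python sketch is an added example, not code from the paper: it checks the polynomial identities of the family, searches the two ranges for parameters where $r_0$ and $p_0$ are both prime, and evaluates $J_{BN}$ numerically. It assumes the reading $J_{BN}(x', x) = \frac{2C}{16}\int du/(\log u)^2$ with limits $x'^{1/4}/\sqrt{6}$ and $x^{1/4}/\sqrt{6}$ and $C = 17.651$; the function names are chosen here.

```python
import math

# Barreto-Naehrig polynomials as given in the text (k = 12, D = 3).
def r0(w): return 36*w**4 + 36*w**3 + 18*w**2 + 6*w + 1
def p0(w): return 36*w**4 + 36*w**3 + 24*w**2 + 6*w + 1
def t0(w): return 6*w**2 + 1
def y0(w): return 6*w**2 + 4*w + 1

PAPER_W = [-107, -55, -52, -41, -15, 20, 78, 82, 123]  # parameters listed in the text
C = 17.651                                            # constant quoted in the text

def identities_hold(w):
    """r = p + 1 - t, CM equation 4p - t^2 = 3y^2, and r | Phi_12(t - 1)."""
    r, p, t, y = r0(w), p0(w), t0(w), y0(w)
    phi12 = (t - 1)**4 - (t - 1)**2 + 1
    return r == p + 1 - t and 4*p - t*t == 3*y*y and phi12 % r == 0

def rho(w):
    """rho-value log p / log r of the parameter w."""
    return math.log(p0(w)) / math.log(r0(w))

def is_prime(n):
    # Trial division; sufficient for n < 10^11 as used here.
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, math.isqrt(n) + 1, 2))

def bn_parameters(lo, hi):
    """All w with lo < r0(w) < hi for which r0(w) and p0(w) are both prime."""
    bound = int((hi / 36) ** 0.25) + 2
    return [w for w in range(-bound, bound + 1)
            if lo < r0(w) < hi and is_prime(r0(w)) and is_prime(p0(w))]

def j_bn(lo, hi, steps=20000):
    """(2C/16) * integral of du/(log u)^2 over [lo^(1/4)/sqrt(6), hi^(1/4)/sqrt(6)]."""
    a, b = lo**0.25 / math.sqrt(6), hi**0.25 / math.sqrt(6)
    h = (b - a) / steps
    f = lambda u: 1.0 / math.log(u)**2
    # Composite Simpson rule (steps must be even).
    s = f(a) + f(b) + sum((4 if i % 2 else 2) * f(a + i*h) for i in range(1, steps))
    return 2*C/16 * s * h / 3

if __name__ == "__main__":
    for lo, hi in [(10**6, 10**8), (10**8, 10**10)]:
        found = bn_parameters(lo, hi)
        listed = [w for w in PAPER_W if lo < r0(w) < hi]
        print(f"{lo:.0e} < r < {hi:.0e}: found {found}, listed {listed}, "
              f"J_BN = {j_bn(lo, hi):.2f}")
```

Running it prints, for each range, the parameters found by the search next to those listed in the text, together with the heuristic count.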



4. What happens when D varies 

Let again $D$ denote a square-free positive integer. As before, we denote the discriminant of the imaginary quadratic field $\mathbb{Q}(\sqrt{-D})$ by $d_D$, thus $d_D = -D$ if $D \equiv 3 \pmod 4$ and $d_D = -4D$ if $D \equiv 1, 2 \pmod 4$. If $z$ is small with respect to $x$, (0.1) suggests that the number of triples $(r, t, y)$ as above with $r \le x$, $p \le r^{\rho_0}$ and $|d_D| \le z$ should be equivalent to

$$\left( \sum_{|d_D| \le z} \frac{e(k, D)\, w_D}{2\rho_0 h_D} \right) \int_2^x \frac{du}{u^{2-\rho_0} (\log u)^2}.$$

Here we shall not try to give a precise meaning to the condition that $z$ be small with respect to $x$, which would require a discussion of the error term in (0.1) which would take us too far afield. We content ourselves with a heuristic asymptotic estimate for the sum

$$\sum_{|d_D| \le z} \frac{e(k, D)\, w_D}{2\rho_0 h_D}$$

as $z \to \infty$. It is well-known that $\sqrt{-D} \in \mathbb{Q}(\zeta_k)$ if and only if $d_D$ divides $k$. Furthermore, $w_D = 2$ except when $D = 1$ or $D = 3$. Therefore

$$\sum_{|d_D| \le z} \frac{e(k, D)\, w_D}{2\rho_0 h_D} = \frac{1}{\rho_0} \sum_{|d_D| \le z} \frac{1}{h_D} + O(1),$$

where the constant implied by the $O(1)$ depends only on $k$. Estimates for the sum $\sum_{|d_D| \le z} h_D^a$ for various positive values of $a$, and in particular $a = 1$, have been studied since the time of Gauss (see for example [H] and the references cited therein). However, we have been unable to find any reference to the case $a = -1$ which is of interest here. On the other hand, heuristic considerations involving the prime ideal theorem and the residue of zeta functions at $s = 1$ for imaginary quadratic fields suggest that

$$\sum_{|d_D| \le z} \frac{1}{h_D} \sim \frac{6\sqrt{z}}{\pi}$$

and this seems to be confirmed by numerical calculation. This suggests the following heuristic

Variable D estimate 4.1. Let $k \ge 3$ and $\rho_0$ such that $1 < \rho_0 < 2$ be fixed. If $z$ is small with respect to $x$, then, as $x \to \infty$ the number $\mathcal{N}(k, z, \rho_0, x)$ of triples $(r, t, y)$ as in (0.1) with $|d_D| \le z$ is equivalent to

$$\frac{6\sqrt{z}}{\rho_0 \pi} \int_2^x \frac{du}{u^{2-\rho_0} (\log u)^2}.$$

In particular, if we can take $z = x^{\alpha}$ for some small positive $\alpha$ then, integrating by parts, we find that the number of triples $(r, t, y)$ with $r \le x$ and $|d_D| \le x^{\alpha}$ should be equivalent to

$$\frac{6}{\rho_0 (\rho_0 - 1) \pi}\, \frac{x^{\frac{\alpha}{2} + \rho_0 - 1}}{(\log x)^2}.$$

At present it is not quite clear how large we can take $\alpha$ for this estimate to be reasonable. This depends in particular on the size of the error term in (0.1), a problem which certainly deserves study but we prefer to leave this for future work. One reason for this is that, to the best of our knowledge, no detailed discussion of the error term in the Bateman-Horn heuristics has appeared in the literature up till now.
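The numerical check mentioned for the sum of $1/h_D$ can be repeated with a few lines of Python. This is an added example, not code from the paper: it computes class numbers of imaginary quadratic fields by counting reduced binary quadratic forms, reproduces the $h_D$ row of Tables 1 and 2, and compares the sum with the main term, read here as $6\sqrt{z}/\pi$ (an assumption about the displayed formula); the function names are chosen here.

```python
import math

TABLE_D = [1, 2, 3, 5, 6, 7, 10, 11, 13, 14, 15, 19, 23, 43, 47]   # D row of Tables 1 and 2
TABLE_H = [1, 1, 1, 2, 2, 1, 2, 1, 2, 4, 2, 1, 3, 1, 5]            # h_D row of Tables 1 and 2

def d_of(D):
    """Discriminant d_D of Q(sqrt(-D)) for square-free D > 0, as defined in the text."""
    return -D if D % 4 == 3 else -4 * D

def squarefree(n):
    return all(n % (q * q) for q in range(2, math.isqrt(n) + 1))

def class_number(d):
    """h(d) for a fundamental discriminant d < 0, by counting reduced forms
    ax^2 + bxy + cy^2 with b^2 - 4ac = d and |b| <= a <= c."""
    h, b = 0, d % 2
    while 3 * b * b <= -d:
        ac = (b * b - d) // 4
        a = max(b, 1)
        while a * a <= ac:
            if ac % a == 0:
                c = ac // a
                # (a, b, c) and (a, -b, c) coincide as classes only on the boundary
                h += 1 if (b == 0 or a == b or a == c) else 2
            a += 1
        b += 2
    return h

def inv_h_sum(z):
    """Sum of 1/h_D over square-free D with |d_D| <= z."""
    return sum(1.0 / class_number(d_of(D))
               for D in range(1, z + 1)
               if squarefree(D) and -d_of(D) <= z)

def ratio(z):
    """inv_h_sum(z) divided by the heuristic main term 6*sqrt(z)/pi."""
    return inv_h_sum(z) / (6 * math.sqrt(z) / math.pi)

if __name__ == "__main__":
    print([class_number(d_of(D)) for D in TABLE_D] == TABLE_H)
    for z in (100, 1000, 5000):
        print(z, round(inv_h_sum(z), 3), round(ratio(z), 3))
```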

Remark 4.2. In [23], Urroz, Luca and Shparlinski prove a result which implies an unconditional upper bound on $\mathcal{N}(k, z, \rho_0, x)$. In fact, their Theorem 1 implies that

Af(k,z,po,x) <: 4){k){xP° ^ +x — )z^- — ^ <; (t)(k)x — z^- — ^ ^ 

^ log log X log log X 

where the constants implied by the $\ll$ are absolute. This follows from the hypothesis that $1 < \rho_0 < 2$, the variable $x$ of [23] corresponds to our $x^{\rho_0}$, the $y$ of [23] to our $x$, and the $z$ of [23] is contained between $\frac{1}{4}z$ and $z$ when $z$ is used in our sense. For constant $z$, this is much weaker than (0.1), but when $(k, D) = (3, 3)$ there exists the complete family

$$r_0(w) = 9w^2 - 3w + 1, \quad t_0(w) = -3w + 1, \quad 2y_0(w) = 3w - 1,$$

$$h_0(w) = 1, \quad q_0(w) = (3w - 1)^2,$$

together with a similar family with $r_0(w) = 9w^2 - 9w + 3$ (see [13], § 3.3). The Bateman-Horn heuristics therefore implies that $\mathcal{N}(3, z, \rho_0, x) \gg \frac{x^{1/2}}{(\log x)^2}$ for any $z \ge 3$ and any $\rho_0$. A similar argument using the Barreto-Naehrig family suggests that $\mathcal{N}(12, z, \rho_0, x) \gg \frac{x^{1/4}}{(\log x)^2}$ for any $z \ge 3$ and any $\rho_0$. Thus, the Urroz-Luca-Shparlinski upper bound for a given $k$ is strongly related to the existence of complete families with rho-value 1 for at least one value of $D$.



Table 1. Values of N(k, D, 1.7, 10« for 3 ≤ k ≤ 30 and various D (see § 5 for explanations)

D       1       2       3       5       6       7       10      11      13      14      15      19      23      43      47
h_D     1       1       1       2       2       1       2       1       2       4       2       1       3       1       5
I       2000    1000    3000    500     500     1000    500     1000    500     250     500     1000    333.3   1000    200
k = 3   2087    1053    0*      534     512     1012    514     1049    512     246     529     1049    362     991     195
4       0*      998     3132    568     568     1033    515     1066    510     282     507     1085    328     992     220
5       2193    1001    3219    513     544     963     552     1079    510     271     507     1004    345     1066    194
6       2118    1008    0*      535     517     1049    497     1032    521     261     509     1088    323     1044    209
7       2107    1024    3112    533     517     2098*   512     1047    530     270     533     1061    346     1036    208
8       4226*   2117*   3115    505     520     1018    510     1039    507     249     515     1056    338     1062    174
9       2120    1014    6139*   484     503     1041    507     984     512     228     549     1077    329     1060    191
10      2167    1039    3171    492     536     995     509     1038    539     267     523     990     347     1029    195
11      2064    1033    3121    518     489     1009    447     2084*   524     264     537     1035    345     1069    205
12      4239*   1048    6368*   519     547     1009    518     1055    502     259     519     1030    334     1078    205
13      1970    1065    3061    544     504     988     476     1059    521     229     526     1076    333     1028    192
14      2095    1102    3243    560     546     2001*   540     1023    532     278     533     1048    364     999     225
15      2030    981     6221*   526     516     1130    525     982     502     289     975*    1058    347     1077    191
16      4183*   2058*   3007    528     536     1071    502     998     511     260     491     1001    361     1071    205
17      2073    1008    3194    517     506     1023    509     1015    482     254     470     1096    374     1020    206
18      2139    1017    6215*   534     512     1013    537     1021    558     273     520     1016    334     1001    207
19      2073    1031    3115    529     564     1049    497     1048    566     229     518     2127*   356     1025    205
20      4063*   1071    3111    1073*   517     1039    502     1096    481     234     491     1028    325     1101    196
21      2035    1068    6304*   526     509     2016*   500     995     568     293     503     1060    371     1019    199
22      2145    996     3048    557     512     1042    533     2138*   519     239     545     1059    345     988     216
23      2113    1012    3185    530     521     1043    476     1071    492     271     527     1059    682*    1064    219
24      4161*   2110*   6247*   510     1055*   1003    543     996     529     260     525     1031    333     1113    214
25      1971    1102    3082    499     504     1031    481     1038    540     248     523     996     374     997     227
26      2065    1055    3230    493     525     1058    542     1042    530     257     541     1083    336     1071    196
27      2148    1049    6327*   483     521     1035    516     1062    503     270     541     976     323     1053    179
28      4189*   1038    3119    547     514     2047*   513     1042    506     268     480     1006    367     1054    197
29      2153    979     3017    581     509     1072    551     1040    522     263     500     1030    334     1086    201
30      2153    1041    6198*   494     535     1029    519     1030    534     271     996*    1068    361     955     211
Avg     2094.4  1034.8  3126.6  524.8   522.6   1029.9  513.3   1037.8  520.4   260.1   516.0   1043.9  345.6   1041.0  202.9




Table 2. Values of N(k, D, 1.5, 10^, 2 x 10**) for 3 ≤ k ≤ 30 and various D (see § 5 for explanations)

D       1       2       3       5       6       7       10      11      13      14      15      19      23      43      47
h_D     1       1       1       2       2       1       2       1       2       4       2       1       3       1       5
I       116.3   58.17   174.5   29.09   29.09   58.17   29.09   58.17   29.09   14.54   29.09   58.17   19.39   58.17   11.63
k = 3   132     69      0*      29      34      57      35      54      29      14      27      59      17      54      12
4       0*      63      198     20      31      65      31      65      27      17      37      64      22      59      10
5       123     49      211     31      26      55      24      53      30      18      26      45      21      73      12
6       132     58      0*      36      41      61      22      61      32      10      29      63      14      56      13
7       111     59      190     34      32      119*    29      67      32      21      27      75      15      63      6
8       235*    131*    181     30      26      56      27      47      34      16      30      64      9       61      9
9       132     60      367*    31      27      52      32      63      34      22      32      80      18      52      6
10      118     55      205     28      33      69      39      59      38      13      37      46      15      66      10
11      111     64      197     31      38      58      26      119*    29      17      28      58      15      59      13
12      255*    42      419*    22      21      62      30      67      25      27      28      61      15      59      16
13      125     66      164     21      27      37      26      61      43      20      32      51      28      58      9
14      122     74      168     29      35      133*    29      45      31      13      32      55      14      69      16
15      119     59      381*    32      30      64      28      57      30      19      57*     58      16      61      9
16      244*    130*    193     30      32      58      33      53      28      9       27      71      18      77      15
17      133     62      194     32      33      60      22      55      30      10      36      78      16      66      11
18      133     59      316*    34      36      65      32      62      33      18      23      63      15      71      11
19      111     64      176     36      27      53      31      46      38      18      32      127*    24      63      15
20      249*    60      176     64*     31      73      27      57      28      12      30      63      21      61      9
21      113     66      378*    26      25      114*    26      51      33      18      30      60      25      57      12
22      123     62      184     25      34      55      30      127*    36      19      29      68      17      54      15
23      103     61      192     30      44      53      38      71      32      24      17      60      44*     71      13
24      207*    129*    343*    28      48*     64      25      69      26      14      40      60      15      51      15
25      96      65      186     40      26      60      33      79      34      12      28      67      20      57      10
26      144     57      173     33      35      66      36      65      31      14      32      45      18      59      11
27      135     51      354*    44      40      59      27      76      21      17      17      62      27      56      10
28      266*    66      220     25      30      123*    31      66      31      19      34      65      23      71      11
29      113     69      170     34      23      69      29      60      26      21      25      69      23      43      12
30      109     67      388*    24      37      47      26      55      29      13      69*     47      25      55      12
Avg     121.0   61.50   186.6   30.25   31.36   59.38   29.43   60.25   31.07   16.61   29.57   61.45   18.86   60.79   11.54
Data for k = 28, D = 1, rho_0 ∈ {1.1, 1.2, 1.3, 1.4, 1.5}.

Interval    10^6 < r < 10^8    10^8 < r < 10^10    10^12 - 10^10 < r < 10^12 + 10^10
N(1.1)      0                  1                   0
I(1.1)      0.325              0.311               0.002
N(1.2)      3                  6                   0
I(1.2)      1.502              2.286               0.022
N(1.3)      8                  24                  0
I(1.3)      7.104              17.22               0.321
N(1.4)      37                 135                 5
I(1.4)      34.39              132.71              4.723
N(1.5)      188                1128                73
I(1.5)      170.07             1044.7              69.86

Data for k = 27, D = 11, rho_0 ∈ {1.1, 1.2, 1.3, 1.4, 1.5}.

Interval    10^6 < r < 10^8    10^8 < r < 10^10    10^12 - 10^10 < r < 10^12 + 10^10
N(1.1)      0                  0                   0
I(1.1)      0.081              0.078               0.00038
N(1.2)      0                  2                   0
I(1.2)      0.375              0.57                0.0055
N(1.3)      1                  5                   0
I(1.3)      1.78               4.31                0.080
N(1.4)      9                  30                  1
I(1.4)      8.60               33.18               1.18
N(1.5)      57                 271                 22
I(1.5)      42.52              261.17              17.46

Data for k = 8, D = 23, rho_0 ∈ {1.1, 1.2, 1.3, 1.4, 1.5}.

Interval    10^6 < r < 10^8    10^8 < r < 10^10    10^12 - 10^10 < r < 10^12 + 10^10
N(1.1)      0                  0                   0
I(1.1)      0.027              0.026               0.00013
N(1.2)      0                  0                   0
I(1.2)      0.125              0.191               0.00183
N(1.3)      0                  1                   0
I(1.3)      0.592              1.435               0.0267
N(1.4)      1                  16                  0
I(1.4)      2.866              11.06               0.394
N(1.5)      7                  76                  6
I(1.5)      14.17              87.06               5.821